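# TLS settings for this server block.
# `ssl on;` has been deprecated since nginx 1.15.0 in favour of the `ssl`
# parameter on the server's `listen` directive (not visible in this snippet);
# once `listen ... ssl` is in place this line can be dropped.
ssl on;

# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
# Reusing keep-alive connections and cached sessions avoids a full handshake
# on every request.
keepalive_timeout 75 75;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;

# The original (2013) configuration kept TLSv1 and TLSv1.1 as a compatibility
# trade-off against BEAST. Both protocol versions are now formally deprecated
# (RFC 8996) and every maintained client negotiates TLSv1.2 or TLSv1.3, so only
# those are offered. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+;
# clients that speak only TLSv1/TLSv1.1 will be refused.
ssl_protocols TLSv1.2 TLSv1.3;

# HIGH already excludes RC4 (classified MEDIUM by OpenSSL); the remaining
# exclusions drop anonymous, NULL, 3DES and MD5 suites, and @STRENGTH orders
# the rest by key size. With OpenSSL this list governs TLSv1.2 and earlier
# only; TLSv1.3 suites are configured separately.
ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
# DHE parameters for the DHE-* suites above; the file should hold a group of
# at least 2048 bits.
ssl_dhparam /etc/ssl/private/dhparams.pem;
# Let the server's preference order above win over the client's.
ssl_prefer_server_ciphers on;

# Strict Transport Security: browsers that have seen this header will use
# HTTPS only for this host for max-age seconds (15552000 = 180 days).
# `always` (nginx >= 1.7.5) also sends it on 4xx/5xx responses, which a plain
# add_header skips. Note that add_header is not inherited by a location block
# that declares its own add_header, so repeat it there if needed.
# See http://www.chromium.org/sts.
add_header Strict-Transport-Security "max-age=15552000" always;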